Posted by michael on Friday February 21, 2003 @12:03PM
from the hacker-crackdown dept.

Bendebecker writes "Cnet is reporting: 'The nation's largest group of defense lawyers on Wednesday published a position paper arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.' Finally, someone is listening..." The document makes the points that most computer crime cases involve disputes between an employer and employee, and that the seriousness of the offense is generally comparable to white-collar fraud cases.

Since when are lawyers a beacon for what a fair punishment should be? I thought a lawyer's job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.

Quite frankly given the number of lawyers who do their best to circumvent the true spirit of the law I don't want them making any public statements on my behalf...

I thought a lawyer's job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.

Who says they are deciding? They are stating their opinion. It is up to legislators to create and modify the law and judges to uphold it. Lawyers just happen to be the most intimately involved with both types of cases and therefore are qualified to state an opinion.

I would also point out that they are as free to state their opinion as you are.

"These are the guys that commonly lie in the courtroom to get the guilty off entirely".

What planet are you from? Do you know anything about law? Think about what you're saying for a second.

Lawyers don't make statements of fact, they present evidence to witnesses, the validity of which is then discussed in court. They call expert witnesses to testify when such testimony is needed. Apart from their opening statement and concluding remarks, they are not allowed to make speeches, or make unsubstantiated statements of fact as part of their cross-examination. Since they don't make statements of fact, how then do they lie?

The lawyers here are making the case that compared to other crimes causing similar levels of damage, and involving similar levels of malice/negligence, the convicted party receives a comparatively harsher penalty because there was a keyboard and processor involved, and their comments force lawmakers to justify the practice.

The level of penalties at present was decided upon arbitrarily, and not with reference to other similar crimes. Given the statement the lawyers have made, the lawmakers now have to go back and either reduce the penalty or explicitly state why it is that the penalties are higher.

This is a good thing regardless of what happens to the level of penalties because it forces the law to remain internally consistent - if you shoot someone for stealing a loaf of bread but let a multi-million dollar con-artist off with a caution, that's inconsistent - they're arguing the same occurs here, and it's worth ironing it out, for the sake of the people we're punishing. "Justice" is supposed to be even-handed.

Since when are lawyers a beacon for what a fair punishment should be? I thought a lawyer's job was to understand the law and to represent his/her client, not decide what's fair or not fair regarding the law.

Also, think about this. Whenever the two sides work out a plea bargain rather than going to court, you basically have 2 lawyers hashing out what is a fair penalty for the crime involved.

So, in response to your statement, I would have to say that lawyers have always been the beacon for what fair punishment should be since the modern criminal system came into being. I'm sure it's fun to take potshots at lawyers, but you need to realize that they do run the system to a large extent.

>the guy goes to jail for 30 days and people are out of work.... what justice is that.

Absolutely zero:

How much time did the MIS manager and CTO do? They share the responsibility for not securing the system. If the risks are that great, then not adequately protecting against those risks is criminal neglect.

(*) If anyone has a problem with me accusing the US government of being corrupt, feel free to explain the rationale for letting rapists and murderers go free while non-violent drug offenders.

Well, who goes free and who gets convicted is a function of a randomly chosen population sample, not the government. Plus, if they follow the law, no matter what the law says, then they're not "corrupt" in the "not doing their jobs" sense.

If a state government wanted to pass a puritanical "no kissing in public" law, they'd be well within their jurisdiction to do so, and the officers and judges and lawyers carrying out this law wouldn't be corrupt.

I agree that extremely violent offenses such as rape and murder should, without exception, give higher sentences than any other kind of crime. But that doesn't mean that a government that puts drug offenders and prank-hackers in jail for twice what the average rate for murderers is corrupt. Extreme, maybe, but not corrupt.

(And if you counter with "will of the people", I'll want to know an update on the status of the movement for a constitutional amendment requiring equitable and fair sentencing throughout the country.)

Certainly. Furthermore, there should be some inquiry into how much damage was actually done by the theft of the credit cards. Say you broke into Visa, downloaded their entire database of usable cards, and stored it on your computer. Now what?

If you immediately deleted the database, and sent Visa an explanation of the vulnerability, you should certainly be less liable than if you posted it on your FTP site, or wrote a small shell script telling Amazon.com to send every Visa holder a copy of "Curious George Goes to the Potty."

As things stand now, the prosecutor would just brew up an "analysis" showing that you cost Visa $500,000,000, point out that you're a terrorist, and sentence you to life in solitary (so that you don't manage to escape, gain access to a payphone, and start a nuclear war).

If you immediately deleted the database, and sent Visa an explanation of the vulnerability, you should certainly be less liable than if you posted it on your FTP site, or wrote a small shell script telling Amazon.com to send every Visa holder a copy of "Curious George Goes to the Potty." As things stand now, the prosecutor would just brew up an "analysis" showing that you cost Visa $500,000,000, point out that you're a terrorist, and sentence you to life in solitary (so that you don't manage to escape, gain access to a payphone, and start a nuclear war).

Right... Visa should take a hacker's word that they've deleted the database and that they didn't leave any backdoors to get back in again later, because we all know someone who'd break into your system is someone you should trust.

Visa would be extremely neglectful if they didn't take every action at their disposal to minimize damage in the wake of an intrusion. This means reissuing all the compromised cards, reinstalling every machine even remotely related to the one compromised, implementing new policies to detect a similar intrusion in the future. None of this is cheap.

You are not doing Visa a favor by breaking into their system because you're costing them almost as much as it would cost them if someone broke in and did exploit the hell out of those card numbers. Think about it.... do you want someone throwing rocks through your windows (breaking them in the process) just to show you the vulnerabilities in your house?

Say you deface walmart.com or amazon.com. They track how much sales are done per hour, how many visits the site gets per actual purchase. If during the time that the website is defaced they can show a drop in those stats then were they not robbed of income? Do they not deserve to recoup said loss?

If you spray painted the outside of walmart with the words "CLOSED - BUILDING UNSAFE" and they lost a day's sales because of it would they not deserve to recoup said loss?

Honestly I have no sympathy for hackers or any other type of white collar crime. Most all of them get far too light a sentence IMHO. So do many violent criminals as well. We spend so much of our time locking up drug users and dealers, while drunk drivers get off that we can't properly deal with REAL crimes.

Anyone remember the old Star Trek episode "I Mudd"

(Not an exact quote.)

MUDD: Do you know what the penalty for fraud is on Deneb V?

SPOCK: The accused has a choice, death by phaser, death by hanging, death by electrocution...

MUDD: The key word in your diatribe Mr. Spock is "death".

I'd look at it this way; you broke into the house to steal a TV, but on your way out you slipped into the china cupboard and accidentally broke a Han Dynasty era vase worth 1.2 million.

I suggest you actually READ the PDF. Your $1.2 million vase is NOT broken. The entire point of the article is that computer related law is broken.

If some kid sneaks in, watches some TV and leaves, he does NOT break your vase. The crime is a misdemeanor. The economic damage is zero. This is sentenced as a "Base Offense Level" 6 misdemeanor. Perfectly reasonable.

Now let's look at what computer law does:

The kid didn't touch your cupboard or vase, but you decided you needed a cupboard with a lock for $5000. This counts against the kid and he gets +2 on the base offense level for $5000 in "damages". It now becomes a FELONY.

Then there is a +2 on the offence level for using a "special skill".

Then there is a +2 on the offence level for using "sophisticated means".

The kid did not intend to cause any harm. The kid in fact did not cause any harm. So now a harmless prank that is supposed to be a level 6 misdemeanor is actually treated as a level 12 felony. THAT is the point they are making.

They also want to make sure this harmless prank doesn't get sentenced as TERRORISM. They don't go deeply into this topic, but they are also opposing certain "computer-terrorism" laws and proposed laws. They essentially make it terrorism for a kid to throw a snowball across state lines at a supermarket. The DOJ claims this is acceptable because they promise it will only be used in "appropriate cases". Pardon me, but I don't think a misdemeanor harmless prank should EVER be within the scope of a terrorism law.

Another problem they mention is one that came up in the Mitnick case. The kid takes a photo of your vase. The kid never shows the photo to anyone. Here's how computer law measures this "vase theft": You paid $1000 for the vase, but you bought it on a $50,000 vacation. You later realize the vase is worthless and give it to the salvation army for free. According to computer-law taking the photo caused $51,000 in economic damages.

In the Mitnick case he copied software. If they had to spend money repairing damage Mitnick had done then there would be economic damage. If Mitnick had sold or given the software away then there would be economic damage from lost sales. Yes, Mitnick broke the law, but the fact that he was charged and punished based on tens or hundreds of millions in economic damages when the actual figure was zero damage was absurd.

And yes, one of the companies did in fact decide to give the software away for free (and it had nothing to do with Mitnick). Care to explain how he caused millions of dollars of damage by making a single copy of $0 software?

So if I am distracted while I am driving and I accidentally run over someone and they die, I should get the chair because "hey, the crime of killing a person is equal to the crime of killing a person"? Hacking into someone's webserver and adding the line to their webpage that I own their box should equal a punishment but that punishment should not be the same as hacking into a computer and deleting their hard drive or changing the balance in my bank account. It's like saying that every thief should get ten years in prison regardless of what they stole; it sounds nice on paper but do you really think anyone should go to jail for ten years for stealing a candybar?

Those convicted "are receiving sentences based on the fear of the worst-case scenario rather than what the case may really be about," Granick said.

In many cases, the victim would be ignored if s/he didn't over-state the actual damages. I've heard victim after victim (right here on slashdot) state that they've gone to the FBI/local officials, and were denied help because the actual damages didn't add up to a certain amount.

No wonder victims are overstating the problem, it's because they don't like being ignored.

However, the punishment in my case was extremely harsh and did not fit the crime. I equate my illegal actions not to a person who molests children or burglarizes a house (I heard these specious analogies before), but to a person who illegally copies software.

The difference in my case is the software was proprietary. I was not an industrial spy, nor did I ever attempt to profit or damage any systems or information that I had illegally accessed. The government falsely claimed I had caused millions of dollars of loss, in an effort to demonize me in the press and the court. The truth of the matter is I regretfully did cause losses, but nowhere near a million dollars. The theory the government used to reach those numbers was to use the same formula for traditional theft or fraud cases. When a person steals money or property, the Federal Sentencing Guidelines use the value of the property lost, damaged, or destroyed as the loss amount. This formula works well with tangible property, but when the property at issue is information, or in my case source code, does the same formula reflect the true intended or actual loss? The government requested that my victims provide their research and development costs as the value of the information I either copied, or reviewed online (source code). Federal prosecutors simply added up all the R&D costs associated with the source code I had accessed, and used that number (approx $300 million) as the loss, even though it was never alleged that I intended to use or disclosed any source code. Interestingly enough, none of my victims had reported any losses attributable to my activities to their shareholders, as required by securities laws. Unfortunately, due to media hyperbole, the unknowing public believes I had caused these tremendous losses.

Suffice it to say, we need to find a compromise where we can accurately represent the loss of intellectual property without unduly exaggerating its (non-material) worth.

the solution would be a requirement of PROVING damages. an invoice from "overpriced security fixer-uppers" for $21,985.31 to install W2K sp3 to fix that hole that script-kiddie4 used to get in are provable damages... the "we lost $295,997,667,342.87 because he MAY HAVE copied a file" needs to be called bullcrap by everyone involved.

if you cannot produce an invoice or legitimate quote for repair/losses then you are told to shut up would fix every bit of this.

We all know that white collar crime gets punished a whole lot less, but is that right? Why shouldn't execs from the likes of Enron, WorldCom et al be looking at life behind bars for the havoc they have wreaked? Well because there really is a different set of laws for the rich. Sure they might even get 15 years in the cases of these massive frauds, but is this enough given the damage they have caused?

So maybe the problem is that white collar crime is punished too little, rather than hacking is punished too much. Maybe having sentences for theft, fraud etc (of any kind not involving actual violence which already has punishments) should be related to the amount of money stolen.

The error in your reasoning is the presumption that increased jail terms will deter this type of crime. Research shows [cfenet.com] that the vast majority of people who commit crimes like this don't think they'll get caught. It's highly unlikely they are even aware of what the potential sentence may be, so making it larger doesn't help.

"The error in your reasoning is the presumption that increased jail terms will deter this type of crime."

The error in your reasoning is the presumption that criminal penalties are imposed in order to deter crime.

Given the high rate of recidivism it should be obvious that jail time never deters crime. The purpose of punishment is to get dangerous people off the streets and into an environment where they will not do further damage to the general population.

That's true! In fact, most societies would forgive you if you shot and killed someone who was busy carving up their friend with a knife. Do you know of any that would do the same for someone who shot a hacker? So why is it that hackers can be held for five years without being charged as KM was?

Punishment should fit crime, and ordinary rules of presumed innocence need to be applied in cases of suspected computer crime. As things are, any with-it employer could be frightfully abusive if they wanted.

In fact, this wonderful "tough on crime" administration we have in this country has seen violent crime rates rise to their highest levels in more than 12 years. . . gee, didn't we have a "tough on crime" Republican president 12 years ago too?

I used to (note: past tense) belong to a small group of website defacers during my script-kiddie period. Three people and about 160 websites in a month. During about 4 months, one of us got 2 phone calls telling him to stop and two cases of soft drinks for pointing out a flaw in some company's online security. I got one warning on IRC. The third guy got away clean.

I believe it would be better off to just go and steal stuff old school than to do it via hacking.

Hint Hint: You are more likely to get your Credit Card number stolen by giving your card to the waiter/waitress in a restaurant to have the bill paid than by having it stolen over the net!

That is fraud though. . . . maybe identity theft? A better defining line needs to be made up, not all that happens over a computer is "hacking", intent should be judged as well as actions. If a person goes into a bank pointing a gun it is not automatically a bank robbery, it could very well be a hostage situation. Intent, ya know?

It's because lawmakers have no idea what hacking is. All they know is that the news and their handlers and their real constituents (donors) say it's very bad. It's just like way back in the day when people were put in institutions for being depressed. No one knew why they were depressed so they just put them away.

Now, I'm not saying that hacking others' equipment is good. I'm just saying that the punishment should fit the crime, not get 10 years in jail because you made the RIAA website say they love mp3s instead of money.

I do not understand this type of argument. It implies that if I don't program, I can't write appropriate laws. There is an old saying about all the jokes were written long ago, all we do is change the names and the places. It's the same way with crime. All the basic types of crime were listed in the Ten Commandments. All technology has done is provide new ways of committing those same crimes.

Depending on exactly what the hacker does, we're talking about vandalism, or theft, or trespassing using a new technique. When bank robbers moved from horses to cars was it important that lawmakers have a detailed understanding of cars before writing applicable laws? When copyright laws moved from covering just books to motion pictures, did lawmakers require a detailed understanding of how motion pictures are created? Does it really matter the exact technical approach used to commit the crime? I don't think so. Vandalism is vandalism. It doesn't matter whether I use a can of spraypaint or I hack into the web server. It costs the company money to fix. The dollar value of the damage should drive the punishment.

It's the inability to impose proper sentences for violent criminals and drug offenders. I have no sympathy for people invading companies' computers for whatever reason and they should be punished harshly. I have better things to do on my weekends than combat those assholes. But there is a need for reform in the way punishment is administered for violent criminals and longer sentences need to be handed out.

If I break into someone's house, I'll be charged with breaking and entering, and with trespassing.

If I hack into someone's network and don't even do anything but look around, I'm charged with causing losses of millions. I'm charged with stealing any sensitive content I gained access to whether or not I even looked at it. Not to mention they'll slap all the cybercrime and terrorism laws they can find down on me too. It has nothing to do with the severity of the laws, just that you get pinned with so many of them.

What if you were to break into a bank vault? Not take anything, just break in and look around? You'd be up shit creek without a paddle. How about breaking into a military base "just to look around"? How about breaking into a casino's back rooms?

In case you haven't noticed, you can't just go wherever you want just to look around.

I can see that sometimes the claims of damage in online crimes can be ridiculously high. However, if the claims of damage are reasonable, I don't see why the punishment should be any lesser than any other crime.

I think white-collar criminals are already getting far less punishments than they should. How could someone who screws up the millions of dollars from their employees be subjected to punishment comparable to shoplifters or burglars?

I think you're on to something here. Believe it or not, starting with Aquinas (maybe even earlier) most responsible Medieval theologians had serious doubts about Witchcraft per se -- and that didn't matter because the common people believed that witches had these horrible powers. The image of these powers was informed by fairy tales and the like -- the popular media of the day -- rather than by responsible sources.

Very similarly, the popular image of 'Hackers' is formed by films like 'the net' or even 'the Matrix'. People believe that Hackers are capable of all kinds of perfidy, not because they have heard so from a responsible source or understand the issues involved, but because their fears have been ramped out of proportion by the popular media. (This is not to say that there were not some very serious ecclesiastical figures behind some of the witch burnings - just that Witch trials were really driven by the public, not generally by the church.)

One time, I was on a mailing list. The mailing list was using a Windows Listserv clone. Most people on the mailing list simply used a web interface to get on the mailing list; I, however, talked directly to the mailing list server to join the list.

Soon after getting on the list, someone on the list asked how many people were on the list. I told them.

At this point, all hell broke loose. They thought I broke in to the system. Fortunately, the list administrator went to my mother's church; I don't want to think about what could have happened if she did not.

* * *

When the "I Love You" worm was spreading like wildfire, I was working for a dot-com security company called Pilot Networks (which is no more). Someone came up to me and asked me permission to forward me an email. I said "Sure, why not?"

"Well, it's a dangerous virus"

"You know I use Linux and don't have to worry about such things"

"I know; it's just that everyone in the office is really afraid of this thing and do not even want to have it on their computer"

It seemed really strange to me that a computer security company did not have one person in their office willing to have a simple Visual Basic script on their computer.

Win9x admin: ostracized dude at the hell desk. Mantra: "have you tried to reboot?" Spells are secondhand and generally ineffective. Worships the devil and is usually cranky due to above mentioned lack of efficiency and understanding. Sometimes seems possessed. Practitioner of Voodoo.

Win Server Admin: Sometimes casts his own spells. Still worships the devil but may see the error of his ways. Less cranky because one or two spells actually work. Knows Voodoo, and some other Black arts

BSD/Unix Admin: A wide spectrum of talents and dispositions. Worships nature, makes little noise and is very effective. Effectively correlates cause and effect but will still make deals with the devil. Druid/Alchemist

Linux/Unix Admin: Also a wide variety of talents and dispositions. Makes more noise than the BSD/Unix admin. Worships Nature but believes in higher powers and the law. Can be just as effective as BSD/Unix, very powerful but often thwarted by the Devil. Often persecuted by the Devil and his dupes. Martyr/Scientist

"... McOwen was charged under Georgia law with computer trespass. Facing up to 120 years in prison..."

A man installed a program that for all intents and purposes is a screen saver and he could have been forced to serve 120 years in prison had he not plea bargained. Clara Harris killed her husband with her Mercedes, was found guilty of 1st degree murder, and was only sentenced to 20 years (she'll get out in 10).

I think something is wrong with a system that gives you more time for installing a program that doesn't do any damage than it does for murdering a person in cold blood.

A symptom that copyrights are unenforceable, so the only way they can compensate is by fear mongering with draconian punishments. Our response should be to act in civil disobedience whenever possible. The sooner we force this thru, the sooner we can get on with the information age.

An 11 year old snuck into his classroom during lunch and changed some of his grades on his teacher's computer. He was caught and is now facing FELONY computer fraud charges. Tell me that's not a bit ridiculous.

No, it isn't ridiculous at all that he face the charges. He knew what he was doing was against the law when he did it. He committed felony computer fraud, and is being charged with it.

What would be ridiculous would be his being tried and convicted as an adult, and spending 10 years in a max security prison. But that won't happen, he'll get the warning and the incident will go into his sealed juvenile record.

IMO there's too much 'juveniles shouldn't be punished after all they're just kids' sentiment. Youngsters know this, and commit more and more crime knowing they won't be severely punished.

It would be ridiculous if the teacher gave him permission to use the computer, and in doing so he accidentally formatted the C: drive, or something like that. But if he knowingly committed a crime (which it would seem he did), he should be prosecuted for it.

So now schools get to pick and choose which cases they turn over to the cops? It's ok for someone to be the victim of an Assault and Battery, but it's a FELONY to cheat now? And that's all this was, remember, cheating. It's not a felony to use a pencil to alter your grade in the paper gradebook. Why is it a felony to do it on the computer? Punishment should have been handled by the administration and the kid's parents; this was NOT a matter for the cops.

The issue isn't tough sentencing for hackers. The issue is that white collar criminals get off light.

Hacking is not a white collar crime. When I think of white collar crime I see millionaire executives spending stolen money for blow jobs by preteens in foreign countries. When I think of hacker crime I see a trail of empty Mountain Dew bottles and Cheetos bags. Hackers need to become filthy rich before they can play the courts like the big boys do.

Extreme cases aside, most hacking is like kids stealing cars to take 'em for joy rides. Sure, a few people get hurt by each crime, but it's not like you have a few hundred thousand stock holders who'll have to work 10 extra years before they retire because their portfolios are toast.

"The (majority) of the offenses are generally disgruntled employees getting back at the employer or trying to make money."

And how is this not serious? Destruction and blackmail are extremely serious and should not be tolerated in society.

Prison is not just rehabilitation. It is a deterrent. If there were little or no consequences to, say, wiping out a server just because you are mad you got fired then many many more people would do it. Consequentially companies would crack down hard on everyone and treat all employees like assumed criminals.

Most of the world we live in is based on trust. Most homes and businesses are relatively easy to break into. And if the consequences for such actions were light then more people would be trying it just for fun. And then home owners would have to put bars on their windows and constantly worry about keeping their house secure.

In fact, this is essentially what Slashdotters are recommending people do to their computers. Most people have better things to do with their lives than worrying about locking down their computer from hackers. How about the hackers stay on their own boxes and stay the heck away from everyone else's!! If someone breaks into my computer, it is not MY fault the computer was easy to crack. It is the hacker's fault for doing something they weren't supposed to do. And the hacker should go to jail for it, just as they would go to jail for breaking into my house and checking out all my stuff. I don't care if they steal anything or not, it is an invasion of my life and privacy!

I am sick of the hypocrisy of Slashdot getting all up in arms about the Patriot Act and then worshipping Kevin Mitnick. At least I can vote against the Congressmen who supported the Patriot Act. I can't vote to keep Mitnick wannabes off my computer, except to vote to put them in jail where they belong.

People have always tended to be hysterical about that which they fear and don't understand. They see this "hacking" (it should be called "cracking" in this context, but that's a lost cause) as a vaguely defined but fearsome threat, regardless of the actual reality of harm, and clamor for the modern equivalent of witch burnings [washington.edu].

For example Mitnick had to be in solitary confinement because he could have launched a nuclear war from a pay phone! Just ask the FBI or the judge taking his case!

It's not like it takes an order from the president with full access codes to launch a strike or anything. Just a dialtone and a modem from the computer that launches the strikes.

Also he could have obstructed justice by using a walkman or radio because he could have turned it into a hacking device. The FBI needed to take these privileges away as well so he can stare at the walls and do nothing in his solitary confinement for 7 months while still technically innocent I may add. I mean screw John Gotti. This man is clearly more dangerous to our whole American way of life.

Also look at economic sabotage and espionage caused by Jon Johnson from reading his own personal DVDs? The RIAA and the BSA claimed they lost over 9 billion a year because of piracy. It's a shame and we all know that these kids and college students can easily afford adobe photoshop, 3dStudioMax and all of Nsync's and britney spears artistic masterpieces of great music which is worth every penny of the price so it must be piracy! We need to stop these so called terrorists before they kill every man woman and child on earth. Hopefully some hardware based solution will be the salvation towards the problem.

Do we want the whole economy to fall apart and lose millions of jobs because of lenient sentencing? Somebody please think about our children.

People feel marginalized when they don't understand even the basic concepts of what has happened

Therefore when a CEO realizes they have been hacked/cracked (you fight that out) they feel even more violated since they don't even understand how someone could get past all the hardware they bought and all those 45-100K+ people they have running around purporting to be computer experts.

Their anguish is then felt by attorneys who can't understand the crime, the criminals or why everyone is so upset. The one thing they do know is that THAT FAT GUY WITH THE UNKEMPT BEARD AND THE WEIRD SHIRT THAT HAS THE FORMULA FOR HELL ON EARTH:

That a lot of the problem here is due to double standards and lack of accountability.

Joe Schmoe embezzles from his S&L firm for ten years, gets caught, and it is realized that he made off with 500K. He is slapped on the wrist, fired, made to "pay it back" on time deferred payments, or maybe stuck in a white collar prison/country club for a few years.

Mike, the l337 hacker from down the street, defaces Stuff-Mart's web page, pointing out that Stuff-Mart buys 80% of its stuff from China, where it is made in forced child labor camps at gunpoint, and it is repaired in an hour.

Now.. Stuff Mart's lawyers tell the jury that they *potentially* lost MILLIONS due to the damage, (when in fact, they did not "lose" anything.. and there is no way to prove how many people would have bought during that time anyway). The SM lawyers also point out that it cost "an estimated 100K dollars to repair the damage!".. which means they just budgeted in A) the new server and colocation company to handle the site, B) the three person team who maintains and handles the site already, and C) all of their IT staff who received an Email about the "hack" and therefore were "working" on it.

It's all about what the jury wants to hear, and all about language.. "potential" is used ahead of "we could have potentially lost BILLIONS in sales!" but the judge/jury does not hear the "potential". Nor do they realize that 99% of that IT staff was already working there, doing their routine jobs, and had nothing to do with the repair anyway.

(Same reason a procedure at the hospital that took all of 15 minutes costs your insurance company as much as your house did.. funky accounting and everyone wanting to be "in" on the action.)

Yes.. but you have demonstrated he caused harm, therefore there *is* a foul. I wasn't saying that Cracking is always harmless.. but in some cases (defacing a web page) the cost of repair is as simple as bringing up the cached copy, re-installing it, and fixing the exploit (if known.) There is no way that cost a million dollars.

Cracking is trespass at the least and theft at the most. It deserves jail time. The issue is how much jail time. The guy who hacked me should face at a minimum the legal penalty for breaking into my house and rifling through my file cabinet.

No argument. Define trespass though. Someone walks across my yard, it's "trespassing". Refusing to leave when I ask them to, is "Defiant trespass". Coming into my house after I tell them to leave is anything from Breaking and Entering to Forced Entry (depending on whether I am trying to stop them or not, I think) and theft is another layer on top of that. (Hence the laundry list of charges usually piled on a burglar).

Breaking into your house and rifling your file cabinet would probably NOT net me jail time for a first time offense. Especially if nothing was taken, and none of the information gained was used against you. It's more likely a fine, time served, probation kind of thing.

I beg to differ. When my house is compromised I know how many systems could have been targeted (7) and where my important information resides.

If I'm a big company, I might have dozens or thousands of boxes at risk. I might not have good forensic logs to tell me when the system was compromised or where the attackers went. I might not know the extent of the damage - in fact I probably will never know what important information was taken (if any) or where the important information resides.

Depending on the size of the organization it might take me months to figure out how to protect against this type of threat in the future, and I might have to spend tens to hundreds of thousands of dollars on software and consulting to help me be protected.

You might argue that we already have a staff of engineers, and that it's not fair to count their pay as cost for cleanup, but when they are cleaning up, they are not doing things that make my company money, just activities that might help my company to lose less money.

Millions? It's a definite possibility. You might have merely defaced my web presence, but you also might have inserted a trojan that would let you do a great deal of damage, or deface my web page again. I don't know, and figuring it out could cost a fortune.

>> The guy who hacked me should face at a minimum the legal penalty for breaking into my house and rifling through my file cabinet.

I agree he should be punished, but it isn't the same as breaking into your house and rifling through your file cabinet. Break and enter is generally treated by cops and DAs as a violent crime - because burglars very often have every intent on harming someone who may be at home at the time.

A better analogy would be the clerk at the gas station who lifts your Visa number, or the guy who looks over your shoulder at a payphone or ATM to get your calling card/pin numbers. But hackers also have an element of trespassing and harassment. So maybe mix in a little of the guy who makes obscene phone calls in the middle of the night, or dumps his garbage on your lawn. Or maybe a postman who reads your mail (that's a big federal no-no as well).

In any case, saying the sentences are 'too harsh' or 'too light' is wrong IMO. This is what judges are for, to decide what punishment is appropriate on a case by case basis. That's their job.

Personally, the thing that strikes me as most ridiculous is how clueless courts are when it comes to estimating how much loss the hacker caused.

From http://www.savage.net/public_html/net/phrack.html:

The following March a Federal grand jury was told that the document that Knight Lightning had printed in Phrack was worth 80 thousand dollars and was extremely dangerous to the public. The grand jury brought a Federal indictment against Knight Lightning. He faced 31 years in prison for the interstate transportation of stolen property, wire-fraud and violations of the Computer Fraud and Abuse Act.

"In July of 90 we went to court...the witnesses took the stand to try and prove that I had not just committed the crimes they were saying I committed, but to prove that the actions I took were crimes in the first place. The defense never had to put on a single witness, by the end of the week, the government's case had completely fallen apart. The now famous 80 thousand dollar E-911 document was proven to be [publicly] available for no more than 13 dollars from Bellcore."

This guy was accused of stealing 80 grand when in reality it was worth 13 dollars!!!

From the article: However, the paper argues that the increase in prosecutable "crimes" could have a chilling effect on security researchers and industry. Security researchers who uncover and disseminate information on vulnerabilities could be charged for their activities. Companies that send unsolicited bulk e-mail could be convicted of unauthorized access. And, makers of faulty software could be liable for the transmission of harmful code.

A chilling effect on companies that send unsolicited bulk e-mail, huh? This has got to be the coolest chilling effect I've ever heard of!

And as far as the last sentence goes, don't we all know that Microsoft has been guilty of terrorism for a long time now?

My (ex-)girlfriend works at a bank. Her bank branch has never been robbed before, but take the following into account:

a) Most Bank robbers wouldn't know what bait/dyepacks would look like if it was sitting in front of their face
b) If the tellers just grab their bait, the robber's getting away with ~$83 per teller
c) Some Bank Tellers have their own 'vaults' (Bank tellers buy and sell money from the bank vaults to their cash drawers. Some banks differ in how much money they're permitted to have in their drawer, or don't permit their tellers to have locked vaults.)

Let's say I'm Jon-BankRobber. I walk in with my gun, flash it around, walk out with ~$300 bucks (~$80 x 4 bank tellers), caused some bank tellers to quit their jobs/go into therapy/become really depressed. I go to Court, visit the Judge, who gives me ten years.

Now, let's look at Joe-31337h4x0rd00d. I break into my bank's tellering system, create an account, and either blatantly (to the fact that it comes up on the next day's report) or sneakily (penny-slicing) steal money. I can get away with much much more, but for the sake of keeping things same, I only take $300.

When Joe-Hacker goes to the judge, he's going to get a max of 6 months. Non Violent Crime, Under $500 (no felony), no gun. (this is assuming that they don't get him with electronic trespass)

If they're looking to give hackers/crackers a free ride, it won't happen. If they're trying to equal things...just make the same crime punishable by the same punishment. Rob a bank or Crack a bank, go to jail for up to ten years.

I know some of you will poke holes in this, but the average white-collar-criminal just doesn't go to prison, unless you've pissed someone really off, or really f*cked up.

Eh, either I'm utterly confused as to where you're going with this, or you answered your own argument.

Non-violent crime (and that's crime without *threat* of violence, not just without actual violence -- i.e. threatening you with a gun does not count as non-violent, even if I never shoot it -- even if it turns out later that it wasn't loaded) is (usually) punished less harshly. And for reason -- violence has impact. I'd argue that you causing even one or two of those tellers significant trauma is a far far greater ramification of your actions than the $300.

Not to mention, there are probably customers that were in the bank as well.

Cracking the bank only traumatized the sysadmin. And having been in both situations, well, it's not even comparable.

You're right about white collar criminals, and I think *that* is fucked up, at the same time, cracking can't (at least in the vast majority of cases) be compared to violent crime.

I've had the unfortunate opportunity to learn a little about how federal penalties work. It's all based on a point system. A certain number of points for the crime, points if you have a prior record of anything in the past 10 years (state or federal), subtracted points for taking a plea, etc. Then they add them all up and use a chart to determine the range of sentences they can give you.

And for copyright cases, they automatically tack on 4 points if a computer was involved.

As is very, very often the case with human nature, people lash out against the unknown. In the case of computers, hackers are very much a mystery to normal people. How many techs out there have seen a person's computer malfunctioning for various reasons (usually Windows, or bad RAM, or the fact that they've installed Kazaa and a million other crapware loaded programs) - and they automatically assume it's been haxored and/or infected with a virus?

When it comes to computers, most people are hypochondriacs (sp?). And what do people do when they fear something unknown, they lash out against it.
Many people on computers today are affected by spam, viruses, and other issues. Their solution, nail the bastards, put them somewhere - it doesn't matter where, so long as they can't cause me trouble - and jail is a seemingly optimal location for this.

On the flipside, for kiddies who build idiotic viruses that knock down routers worldwide and cause general chaos, I think that many of the users here on Slashdot would be very happy to see them lynched. We have to separate major disruptions and white-collar criminals from the kids who write "H4XOR3D BY 133TM4N" on a website.

Penalties for possession and distribution of cocaine are much lower than the penalties for similar crimes involving crack cocaine. Lots of people have speculated that the reason for this is that white and/or wealthy cocaine users do not use crack, while black and/or poor cocaine users do. Wealthy white people make the laws, so the penalties are lower for crimes that members of their social circle are likely to commit.

A similar mechanism might be at work here. Lawyers and businessmen write the laws, so so-called white collar crimes like fraud tend to have low penalties. Lawyers and businessmen do not hack, so the penalties for crimes that involve hacking tend to be higher.

is that the term hacking sounds bad. It's what crazed men in hockey masks with machetes do to college coeds. What we need to do is change the term to something like "Fluffin' the Bunny". Who'd think that's bad?

Here's an example:
Stan was arrested for computer hacking.
Judge: Give him 15 years solitary.

Stan was arrested for Fluffin' the Bunny
Judge: That's so nice what you did for that bunny. You're free to go.

The entire legal system is grappling with this new world. Too many lawyers are luddites who can barely program their phones, much less comprehend what "hacking" (sic) is all about. And, worse, so are the judges who oversee their trials. And the juries that weigh the evidence. And the media that covers the trials.

I dunno, it's a little disheartening to be an aspiring lawyer when I've heard of a firm that prides itself on defending those accused of computer crimes has a password policy that mandates a particular format for your network passwords, and that your password always be provided to your assistant.

Quoth the Rave,,, err, Anonymous Coward: "Oh, well, in that case, since it's ONLY fraud, might as well let them go free."

You didn't understand the argument, or didn't bother to read it, at least. They're not saying computer criminals should "go free," but that the harshness of their punishments should be similar to the punishments meted out for similar crimes not involving computers. Is that really so difficult to support?

There are harsher punishments for drug possession than many other crimes including child molestation here in the US. We still have more drug users than child molesters so your argument doesn't necessarily hold.

My opinion is, if you keep the punishment higher, people are less likely to do it. In other countries, people are shot by a firing squad if they get caught DUI. Therefore, less people drive drunk and no accidents. Same principle applies here. Not saying we should shoot hackers :-), but that if the punishment is steep, maybe it would deter illegal hacking.

If that logic is pursued, just make every crime, from littering and jaywalking on up, a capital offence. That would deter ALL crime. Sounds idyllic, doesn't it?

The point the lawyers are making is that the penalty should be in relation to the harm caused, not multiplied merely because it somehow involved a computer. Whether you defraud using a fountain pen or a PC, the penalty should be the same.

So, if a virus wastes a half million man hours worth of human production, figuring for both files lost, cleaning it from systems, and a prorated amount for the effort/energy/and money poured into the creation of patches/antivirus software.. can we apply the death penalty to the virus author?

It probably has more to do with the current importance computers have in our society/economy. We have gone away from a production based economy to a service based economy that relies HEAVILY on computer infrastructure. Since computer crimes actually aren't that difficult to pull off, the powers that be don't want them to get out of hand and erode confidence in the base infrastructure.

100 years ago before the automobile became dominant, society & the economy depended quite a bit on horses. As such, you would be hung for stealing a horse, not because it's such a horrible offense, but because if the punishment wasn't really stiff excess horse thievery would probably have actually undermined the stability of society. Who would want that!

100 years ago before the automobile became dominant, society & the economy depended quite a bit on horses. As such, you would be hung for stealing a horse, not because it's such a horrible offense, but because if the punishment wasn't really stiff excess horse thievery would probably have actually undermined the stability of society. Who would want that!

Actually, horse thievery was a horrible offense. If you're out west and someone steals your horse, you have a good chance of dying from it. It's several miles to the next neighbor or settlement, and there are hostile Indians about. If you're down south, there's also the problem of being stranded in a desert.